1. INTRODUCTION
1.1. Background
To date, probabilistic safety assessments (PSAs) have been performed for the vast majority of nuclear power plants (NPPs) worldwide and are under various stages of development for most of the remaining NPPs. PSA provides a comprehensive, structured approach to identifying accident scenarios and deriving numerical estimates of risks. In addition to the traditional deterministic analysis, it is a powerful tool for identification of significant accident sequences
1and associated plant vulnerabilities dealing with the design and operation of the plant. General guidance on performance and independent verification of the safety assessments for NPPs, both deterministic and probabilistic, is provided in the IAEA Safety Standards, e.g. in Ref. [1].
PSA is increasingly being used in many countries, in a complementary manner to the traditional deterministic analysis and defence-in-depth considerations, as part of the decision making process to assess the level of safety of nuclear power plants and to support various risk-informed applications. Regulatory bodies in many countries require that a PSA be performed for licensing purposes. PSA has reached the point where, if performed to acceptable standards, it can considerably influence the design and operation of nuclear power plants. The quality of PSA is then becoming a matter of the ‘robustness’ of the decisions.
In order to promote the use and application of PSA techniques in Member States, the IAEA has developed detailed technical guidance on how to carry out PSA for nuclear power plants. There are publications describing the overall process and procedures of performing a PSA (see Refs [2-4]). For specific PSA areas or tasks where it was felt that more detailed guidance is needed, separate publications have been produced, such as for common cause failure (CCF) modelling (see Ref. [5]) or human reliability analysis (HRA) (see Ref. [6]). The publications provide information and recommendations and reflect accepted practices consistent with the knowledge at the time they were written. Reference [2], for example, provides procedures for conducting Level-1 PSAs for internal events for full power initial conditions in accordance with the state of the art of PSA in the beginning of nineties. That publication has been successful in helping to standardize the framework, terminology, content and format of documentation of PSAs in IAEA Member States, while providing for flexibility to introduce new and alternative methods.
Increasingly, during the last years PSA has been broadly applied to support numerous applications, such as risk-informed changes to technical specifications, risk-based plant configuration control, maintenance program optimization, etc. The IAEA has developed a technical document (see Ref. [7]), which summarizes information on up-to-date PSA applications and includes technical and methodological aspects, examples, and limitations, as well as the regulatory perspective on the use of PSA and numerical goals and acceptance criteria for decision making. A number of applications require specific features of the PSA and of certain PSA elements. A Technical Committee meeting, held in Vienna, May 28–
June 1, 2001, on quality and consistency of PSAs identified the need for guidance on a
1 In this publication, it is assumed that the user will define an objective criterion to identify what is a significant accident sequence. An example of such a criterion is the following: a significant accident sequence is one of the set of sequences, defined at the functional or systemic level, that, when ranked in decreasing order of frequency, comprise a significant percentage (e.g. 95%) of the core damage frequency (CDF), or that individually contributes more than a measurable percentage (e.g. 1%) to CDF.
process to review a PSA to determine its technical adequacy for addressing specific applications, or in other words, to provide guidance to assure that a PSA is of sufficient quality to support the application. The same idea was highlighted at the Conference on Topical Issues in Nuclear, Radiation and Radioactive Waste Safety (IAEA, September 2001) that emphasized the necessity to ensure a high quality of PSAs for the support of risk-informed decision making. The meaning of ‘high quality’ in this context was meant to be different for each PSA and to be defined as being commensurate with the intended use of a PSA. The present publication is a response to those recommendations.
The publication takes into consideration the advanced worldwide experience in the area of PSA quality assessment and verification, and in particular the ASME Standard for Probabilistic Risk Assessment for Nuclear Power Plant Applications (Ref. [8]). The starting point for the development of the technical attributes presented here in Sections 4 through 12 as the basis for the assessment of technical adequacy of a PSA was the set of requirements for the Capability Category II PSA presented in the ASME Standard (Capability Category II requirements are representative of currently accepted good industry practices in the USA.) 1.2. Objectives of the report
Various applications of PSA require that PSAs used to support those applications have certain characteristics in terms of their scope, degree of detail, technical adequacy of the modelling, the capability and flexibility to perform the required calculations, the capability to support interpretation of the results, the quality and type of the data used, and of the assumptions made in modelling important aspects. The features of a PSA that are necessary to support specific applications vary with the application. This report provides information regarding the features, written in the form of attributes of the major PSA elements, which are appropriate for carrying out various PSA applications. In so doing, this publication provides a basis for judging the quality of the PSA used to support an application as discussed in the next section. General attributes are formulated for a ‘base case PSA’ that in the framework of this publication is defined to be that PSA that is used to assess the overall plant safety level.
Special attributes are provided for specific applications where appropriate.
The notion of ‘PSA quality’ should be distinguished from the notion of ‘quality assurance’. ‘PSA quality’ for a specific purpose refers to the technical adequacy of the methods, level of detail and data used to develop the PSA model. In order to assure that the chosen methods and data are used, applied, and documented in an adequate and controlled manner, a dedicated quality assurance programme needs to be established that also addresses applications of PSA. How to set up and effectively apply an appropriate quality assurance programme for PSA and its applications is described in the publication ‘A framework for a quality assurance programme for PSA’, IAEA-TECDOC-1101, Ref. [9]. As distinct from that publication, the present TECDOC focuses on the technical information regarding approaches, methodology and data to obtain appropriate technical PSA features for specific applications.
Thus, for a specific PSA application with a particular PSA, the approach provided in the publication can be used as a basis to formulate a specific technical framework for carrying out the PSA application. For these reasons this publication concentrates on technical PSA aspects.
In Figure 1 the overall framework for the assurance of the quality of PSA results for applications is shown identifying the roles of the existing IAEA publications and the present publication.
It is expected also that the publication will provide a technical framework for the
PSA-related services and International Probabilistic Safety Assessment Review Team (IPSART)
missions being conducted by the IAEA on request of Member States, in addition to the existing guidelines, i.e. Ref. [10].
1.3. Quality of a PSA for an application
For the purposes of this publication, PSA quality is defined in general terms in the following way:
“In the context of an application, the PSA is of an appropriate quality if it conforms to a set of attributes that are appropriate for the application.”
Fig. 1. Framework of PSA quality and supporting IAEA publications.
The key to defining quality then is in the definition of the attributes. The attributes that
are required for a particular application depend on the purpose and characteristics of the
application. When used as an input to a decision, the attributes required are a function of the
process for decision making, and in particular address the acceptance criteria or guidelines
with which the PSA results are to be compared. The acceptance criteria are generally in the
form of a numerical value associated with a specific metric. Examples of metrics are the
absolute value of, or increase in, core damage frequency, and importance measures. The
metrics commonly used are defined in Appendix I to this publication. The PSA has to be
capable of evaluating the appropriate metrics for each application. However, the method for
performing the comparison of the results of the PSA with the criterion also has an impact on
the attributes required. For example, the criterion may require use only of a mean value, or it
may require the full characterization of uncertainty as a probability distribution on the value
of the metric. Thus identifying the additional attributes requires an understanding of the
method proposed for generating and using the PSA results.
Two types of attributes are defined in this publication:
- General attributes, which apply for a typical ‘base case PSA’ (for the definition of a
‘base case PSA’ see the discussion below). The general attributes apply for all PSAs and applications.
- Special attributes, which generally provide enhanced capabilities supporting certain applications of a PSA. Special attributes may not be met in a ’base case PSA’.
The purpose of a ‘base case PSA’ is the assessment of the overall plant safety as described for example in Appendix II of this publication. Thus, the set of general attributes describing the technical features of a ‘base case PSA’ in this publication corresponds to the PSA application ‘Assessment of the Overall Plant Safety’. The general attributes represent a fundamental set of attributes that can be recognized as being associated with the performance of a technically correct PSA in accordance with the present state of the art methodology and technology. According to Ref. [10], “the current state of the art of PSA is defined by the way PSAs have been practically performed in recent years by Member States according to existing guidelines and using accepted methodologies and techniques.” To summarize, it is understood in this publication that the general attributes represent a minimum set of the attributes needed to perform a state of the art PSA with the aim to assess the overall plant safety. State-of-the-art is taken to be synonymous with generally accepted good practice.
Special attributes provide elevated capabilities in terms of resolution, specificity, scope, realism, and less uncertainty for aspects of the PSA needed to support specific applications, but still corresponding to the current state of the art. Special attributes are defined in such a way that, when they are met, the corresponding general attributes will certainly be met. Different PSA applications may require different special attributes.
Special attributes may arise because of the need to model specific impacts of changes proposed by the application, which may require a higher level of detail for certain elements than required for the base case as defined in this publication. In addition, special attributes may be required to address unique acceptance criteria for the application.
On the other hand, there might be applications for which not all the attributes would need to be met, or for which some attributes can be relaxed. These are applications for which either the risk information required is limited, or for which the approach to decision making compensates for a lesser level of detail or plant-specific fidelity in the PSA by making a more conservative decision than would be the case for the more detailed, plant-specific model. An example of the latter is an application that addresses relaxation of requirements on components considered to be of low safety significance. Use of a more detailed and more plant-specific PSA would allow more components to be classified as low safety significant, when compared with what would result from use of a less detailed model. However, even in this case, the PSA used to support that application must be technically adequate.
For many applications, the acceptance criteria may require the consideration of all
contributors to risk. It is recognized that specialized PSA methods are needed to perform the
analysis of core damage resulting from internal hazards, such as internal fires and floods, or
external hazards, such as earthquakes, high winds, etc., and from different plant operating
modes, such as low power and shutdown modes. These specialized analyses are identified in
this publication as being separate modules
2of a PSA. The scope of a PSA is defined by the modules it contains.
Which attributes are met determines to some extent the role the PSA can play in the decision making process. When it is clear that the confidence in the accuracy of the PSA results is high, the PSA can play a significant role. When confidence in the accuracy is less, it must play a lesser role. However, in either case, the PSA still has to have a quality commensurate with its role. What makes the distinction between these cases is that those attributes that enhance realism are not necessary met in the latter case.
When using information presented in this publication, it is proposed that in case a PSA analyst considers that an application does not necessarily require compliance with a general or special attribute or attributes, this should be reliably justified in terms of the analysis consistency and absence of impact of a missing attribute(s) on PSA results and insights used for decision making.
1.4. Scope of the report
The detailed IAEA PSA procedures mentioned above (Refs [2-4]) mainly concentrate on general features and content of PSAs. In these publications, a limited consideration is given to the particular features of PSA conditioned by specific PSA applications. It should be also mentioned that a number of approaches and techniques described in these procedures, in particular in the Level-1 PSA procedure (see Ref. [2]), have been further developed, so the present publication takes into account the current state of the art regarding various aspects related to PSA methodologies.
In recognition of the different levels of maturity in the state of the art for the various PSA modules, and due to a comprehensive amount of information to be covered, the scope of this publication is restricted to a Level-1 PSA for at power operation for internal events caused by random equipment failures and operator errors. Consideration is not given to other sources of radioactivity except for the reactor core. Level-2 PSA, internal fires and floods, external hazards like earthquakes, tornadoes, and other natural and man-induced hazards are not included in the scope of this publication, and neither is PSA for the shutdown and low power operation modes. These PSA modules could be covered in separate publications later.
However, it should be specifically pointed out that applications may require that the scope of the PSA is complete in terms of consideration of all relevant contributors to plant risk and analysis levels. It is not the intent of this publication to address what has to be done to compensate for the limited scope of the PSA in these circumstances. Nor does this publication attempt to describe what has to be done to compensate for attributes that are not met. These considerations are left to the decision-makers. However, Appendix II provides a general discussion regarding what PSA scope and risk metrics may be needed for specific applications.
An emphasis is made on describing the attributes of a ‘base case PSA’ being fundamental for other considerations relating to specific PSA applications. The publication concentrates also on describing the appropriate features and attributes of PSA and of PSA elements and relates them to specific applications by indicating additional features and characteristics important from the viewpoint of specific applications. Only a summary of PSA
2 A PSA module is a probabilistic safety analysis, which addresses a certain type of hazard (e.g. high winds, earthquakes, internal fires), plant operating mode (full power, low power, shutdown), radioactivity source (reactor core, spent fuel pool), and analysis level (Level-1, Level-2, Level-3).
approaches, techniques, and tasks is given. The publication provides information on what has to be done rather than how it should be done. Thus, regarding detailed procedures for PSA tasks, reference is made to the appropriate available PSA procedures and the publication is not intended to replace them.
1.5. Structure of the report
Because this report is oriented towards supporting applications of PSA, first, an overview of current applications is given in Section 2. Section 3 introduces the main PSA elements, and provides a description of the process one should follow to determine whether the PSA is of an appropriate quality for an application of interest. The attributes of the PSA elements are provided in Sections 4 through 12 separately for each PSA element, covering both general attributes (applicable for the ‘base case PSA’), and application-specific ones (i.e.
special attributes). Section 13 discusses the special attributes appropriate for PSA applications and outlines a practical procedure for determination of the special attributes relevant for the application of interest. It also provides a table mapping the special attributes to the PSA applications. Conclusions are provided in Section 14. Appendix I provides definitions of the risk metrics referred to in the publication. Appendix II provides summary information on PSA applications, including their general description, applicable risk metrics, remarks on use of PSA models to support specific applications, and examples. Appendix III presents a table linking the PSA elements discussed in Sections 4 through 12 to the list of PSA tasks from the IAEA Procedure Guide on Level-1 Internal Event PSA (see Ref. [2]).
1.6. Applicability
There are three major limitations regarding the applicability of this publication which are as follows:
1. The information presented is directed towards PSA and PSA applications for nuclear power plants. Thus, this publication is not directly applicable for research reactors, for example.
2. The publication focuses on PSA and PSA attributes for vessel type light water reactors (LWRs), although a vast majority of general and special attributes are applicable for other reactor types as well. The applicability of the PSA element descriptions and of PSA attributes given in this publication for nuclear power plants with other reactor types is discussed below.
3. The publication is focused on PSA approaches, modelling and data for a typical ‘mature’
nuclear power plant, which has been in operation for a number of years without major changes in the plant. The applicability of the PSA elements descriptions and of PSA attributes given in this publication for nuclear power plants in other stages of the plants lifetime is discussed below.
1.6.1. Applicability for reactors other than vessel type LWRs
The present predominant reactor types for nuclear power plants are vessel type LWRs.
PSA approaches and techniques have therefore been mostly developed and applied for this
kind of NPPs. For this reason the publication focuses on PSA and PSA attributes for vessel
type LWRs. Most of the PSA approaches and techniques can also be applied and used for
other reactor types such as gas cooled reactors and CANDU (i.e., data analysis, human
reliability analysis, systems analysis, etc.). Therefore, the attributes described in this
Dans le document
Determining the Quality of Probabilistic Safety Assessment (PSA) for Applications in Nuclear Power Plants | IAEA
(Page 9-0)